[Snort-sigs] Mac OSX Ransomware

Paul Bottomley Paul.Bottomley at ...3813...
Thu Jul 18 06:20:58 EDT 2013


Morning!

Probably not the best-written rule given the number of matches on the regex, and I'm sure there are loads of ways to write this rule (see source on pastebin link), so if anyone wants to better this, feel free :)

http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/
http://pastebin.com/THRQ1Xp2

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"[DELIVERY] Mac OSX Ransomware Excessive iframes"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern; pcre:"/(?:<iframe\s+src=.*){150}/";............)

Thanks,
Paul
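Added example (not from Paul's post or the pastebin source): a Python emulation of the rule's two checks run over a constructed HTTP response body, with the `content` string decoded from the Snort hex escapes (`|22|` is `"`, `|25|20` is `%20`). It also demonstrates, with a small repeat count, two properties of the pcre's shape `(?:<iframe\s+src=.*){150}`: `.` does not cross a newline, so tags on separate lines do not accumulate, and the greedy `.*` inside a repeated group backtracks exponentially on a backtracking engine, which is why the emulation counts tags with a linear scan rather than running the 150-repetition regex. The function names and the sample HTML are my own.

```python
import re

# Decoded form of the rule's content match: in Snort syntax |22| is the byte
# for '"' and |25|20 is the two bytes for '%20'.
LOCKED_MARKER = '<iframe src="YOUR%20BROWSER%20HAS%20BEEN%20LOCKED'

# Threshold taken from the {150} quantifier in the posted pcre.
IFRAME_THRESHOLD = 150

# Linear-time tag scan: no '.*' inside a repeated group, so no backtracking
# explosion and no dependence on line breaks between tags.
IFRAME_OPEN = re.compile(r"<iframe\s+src=")


def count_iframes(body: str) -> int:
    """Count '<iframe src=' openings anywhere in an HTTP response body."""
    return sum(1 for _ in IFRAME_OPEN.finditer(body))


def rule_matches(body: str, threshold: int = IFRAME_THRESHOLD) -> bool:
    """Emulate the rule's two checks on a server response body: the
    fast-pattern content must be present, then at least `threshold`
    iframe tags must appear (counted linearly here)."""
    if LOCKED_MARKER not in body:
        return False
    return count_iframes(body) >= threshold


def pcre_shape_matches(body: str, n: int) -> bool:
    r"""Apply a regex with the same shape as the posted pcre,
    (?:<iframe\s+src=.*){n}. Keep n small: each repetition's greedy '.*'
    backtracks over every later tag, which is exponential in n on a
    backtracking engine. As with Snort's pcre without the 's' modifier,
    '.' here does not match a newline."""
    return re.search(r"(?:<iframe\s+src=.*){%d}" % n, body) is not None


def build_sample(n: int, sep: str,
                 src: str = "YOUR%20BROWSER%20HAS%20BEEN%20LOCKED.html") -> str:
    """Constructed test page (not real malware): n identical iframes joined by `sep`."""
    tag = '<iframe src="%s" width="1" height="1"></iframe>' % src
    return "<html><body>" + sep.join(tag for _ in range(n)) + "</body></html>"


if __name__ == "__main__":
    print("150 iframes, one line:", rule_matches(build_sample(150, "")))
    print("150 iframes, one per line:", rule_matches(build_sample(150, "\n")))
    print("pcre shape, 3 on one line:", pcre_shape_matches(build_sample(3, ""), 3))
    print("pcre shape, 3 on separate lines:", pcre_shape_matches(build_sample(3, "\n"), 3))
```

The last two lines of the `__main__` block are the point of the demonstration: the same three tags match the pcre shape when they sit on one line and do not when a newline separates them, so a page that emits one iframe per line would slip past the posted pcre even with the marker string present.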

